#11227 Open Redirection protection

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Thursday, 23 February 2012 05:38 CST

user47763
Joomla! version: 1.5.24
Admin Tools version: 2.1.10 Pro

Description of my issue:
Hi
I have a private website that requires users to login before viewing any pages.

I've been asked to add Open Redirect protection to the login page to prevent browser redirection and the possibility of a phishing attack.

I've been given this link to help explain the issue:
http://cwe.mitre.org/data/definitions/601.html

Before I undertake any major recoding, can you tell me if there is a setting or facility within Admin tools that will help me with this at all?

Thanks

Steve

nicholas
Akeeba Staff
Manager
No, Admin Tools can't protect you against Open Redirection attacks. These are faults in the handling of otherwise innocuous user data inside your business logic. Admin Tools can protect you only against two related kinds of attacks, Cross Site Scripting (a.k.a. XSS, the attacker using maliciously crafted data to force an Open Redirect through JavaScript) and CSRF (Cross Site Request Forgery, making your site the target of an XSS or Open Redirect attack). In order to protect your users against Open Redirect you must make sure that any URL entered by a visitor will not cause, under any circumstances, a blind (immediate, without warning) redirection to the malicious URL.

The reason why Admin Tools can't protect you against an Open Redirect attack is that since it can't know the context of the query string parameters, it would end up blocking all requests containing a URL in the request parameters. This would throw too many false positives to be useful.

For what it's worth, up-to-date versions of Joomla! do not suffer from such attacks, meaning that the core components are not susceptible to such an attack. The major components also do not suffer from this. As usual, you have to exercise caution about what you install on your site and make sure it's always up-to-date.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
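The check Nicholas describes (never blindly redirect to a visitor-supplied URL) is the whole fix for CWE-601, and it belongs in the login page's own code rather than in a WAF. The following is an added example and is not Admin Tools or Joomla core code. It assumes, hypothetically, that the custom login form carries the post-login destination in a plain-text request parameter named `return` and that the site's own host is `example.com`; the function name `safeReturnUrl` is invented for this example. It needs PHP 7.1 or later.

```php
<?php
// Added example (not Admin Tools or Joomla core code): validating a login
// "return" URL before redirecting, to close CWE-601 on a login page.
// Assumptions (hypothetical): the destination arrives in a plain-text
// parameter named "return", and the site's own host is "example.com".

/**
 * Return $return if it is a safe, same-site URL, normalised to a site-relative
 * path; otherwise return $fallback. The raw input is never placed in the
 * Location header unvalidated.
 */
function safeReturnUrl(?string $return, string $siteHost, string $fallback = '/'): string
{
    if ($return === null || $return === '') {
        return $fallback;
    }

    // Control characters (CR, LF, NUL, ...) are never legitimate in a URL and
    // are the raw material of header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $return)) {
        return $fallback;
    }

    // Two leading slashes or backslashes ("//evil.example", "/\evil.example")
    // are read by browsers as protocol-relative absolute URLs: reject outright.
    if (preg_match('#^[/\\\\]{2}#', $return)) {
        return $fallback;
    }

    $parts = parse_url($return);
    if ($parts === false) {
        return $fallback;
    }

    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: allow only http(s), no userinfo ("host@evil" trick),
        // and a host that exactly matches our own.
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return $fallback;
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return $fallback;
        }
        if (strtolower($parts['host'] ?? '') !== strtolower($siteHost)) {
            return $fallback;
        }
        // Keep only the path, so the redirect cannot leave the site even if
        // the absolute form carried a surprising port or case variant.
        $path = $parts['path'] ?? '/';
    } else {
        $path = $parts['path'] ?? '';
    }

    // A same-site path must start with exactly one "/": this also rejects
    // "evil.example/x", which parse_url reports as a relative path.
    if ($path === '' || $path[0] !== '/') {
        return $fallback;
    }

    $safe = $path;
    if (isset($parts['query']))    { $safe .= '?' . $parts['query']; }
    if (isset($parts['fragment'])) { $safe .= '#' . $parts['fragment']; }
    return $safe;
}

// Vulnerable pattern (what CWE-601 describes): a blind redirect to user data.
// header('Location: ' . $_REQUEST['return']);   // DO NOT DO THIS

// Hardened pattern: validate first and fall back to the site root.
$siteHost = 'example.com';   // hypothetical; in real code derive it from your site configuration
$target   = safeReturnUrl($_REQUEST['return'] ?? null, $siteHost);
// header('Location: ' . $target, true, 303);
// exit;

// Constructed inputs showing each decision the validator makes.
$cases = [
    '/index.php?option=com_content&view=article&id=5' => 'allowed: same-site path',
    'https://example.com/members/'                    => 'allowed: own host, rewritten to a relative path',
    'https://evil.example/login'                      => 'rejected: foreign host',
    '//evil.example/'                                 => 'rejected: protocol-relative',
    '/\\evil.example/'                                => 'rejected: backslash variant',
    'http://example.com@evil.example/'                => 'rejected: userinfo trick',
    'evil.example/x'                                  => 'rejected: not rooted at "/"',
    'javascript:alert(1)'                             => 'rejected: non-http scheme',
    "/ok\r\nSet-Cookie: x=1"                          => 'rejected: control characters',
];
foreach ($cases as $in => $why) {
    printf("%-50s => %-45s (%s)\n", str_replace(["\r", "\n"], ['\r', '\n'], $in), safeReturnUrl($in, $siteHost), $why);
}
```

Run it from the command line to see the allow/reject table. The point of normalising an accepted absolute URL down to its path is that the value put in the `Location` header is then always site-relative, so a subtle mistake in the host comparison cannot turn into an off-site redirect. Joomla's own login flow applies the same principle with an internal-URL check (`JURI::isInternal()`) on its base64-encoded `return` parameter; a custom login page that bypasses the core flow has to reimplement that check itself, which is what the function above does.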

user47763
Thanks very much for the prompt response Nicholas. All the best.

nicholas
Akeeba Staff
Manager
You're welcome, Steve!
